Bug 696 - potential NULL pointer reference in call_trans2ioctl() when specifying a bad fid
Summary: potential NULL pointer reference in call_trans2ioctl() when specifying a bad fid
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Printing
Version: 3.0.0
Hardware: All All
Importance: P5 minor
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
Reported: 2003-10-30 03:06 UTC by YAMASAKI Hiroyuki
Modified: 2005-08-24 10:16 UTC
Description YAMASAKI Hiroyuki 2003-10-30 03:06:49 UTC
Sorry for my poor English.

In samba 3.0.0/2.2.8a smbd/trans2.c, there is a potential NULL pointer dereference when a
CIFS client sends a printer-ioctl(?) request with an invalid fid.
file_fsp() can return NULL, and fsp->rap_print_jobid is dereferenced without a NULL check
on fsp.

To fix, probably add the code below.
-------------------------------------------------
  files_struct *fsp = file_fsp(inbuf,smb_vwv15);
+ if (!fsp) {                                   
+   return(UNIXERROR(ERRDOS,ERRbadfid));  
+ }                                             
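Review bot: the error macro in the new check differs from the one this function already uses. The existing out-of-memory path returns ERROR_DOS(ERRDOS,ERRnomem), a fixed DOS error, while the added branch returns UNIXERROR(ERRDOS,ERRbadfid), which derives the error from errno; a failed file_fsp() lookup does not set errno, so ERROR_DOS(ERRDOS,ERRbadfid) is the consistent choice here. The added lines also carry trailing whitespace that should be stripped before committing.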
-------------------------------------------------

-----------------------------------------------------------------------
static int call_trans2ioctl(connection_struct *conn, char* inbuf,
          char* outbuf, int length, int bufsize,
          char **pparams, int total_params, char **ppdata, int total_data)
{
  char *pdata = *ppdata;
  files_struct *fsp = file_fsp(inbuf,smb_vwv15);
                ^^^^^^^^^^^^^^
  if ((SVAL(inbuf,(smb_setup+4)) == LMCAT_SPL) &&
      (SVAL(inbuf,(smb_setup+6)) == LMFUNC_GETJOBID)) {
    pdata = Realloc(*ppdata, 32);
    if(pdata == NULL)
      return ERROR_DOS(ERRDOS,ERRnomem);
    *ppdata = pdata;

    /* NOTE - THIS IS ASCII ONLY AT THE MOMENT - NOT SURE IF OS/2
      CAN ACCEPT THIS IN UNICODE. JRA. */

    SSVAL(pdata,0,fsp->rap_print_jobid);  /* Job number */
                  ^^^^^^^^^^^^^^^^^^^^^
    (snip)
  } else {
    (snip)
  }
}
-----------------------------------------------------------------------
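A self-contained model of the fix, added here as an example and not taken from Samba's source or from the report: the files table, file_fsp(), the error codes and the SSVAL-style store are constructed stand-ins, with the fid validation placed before the first use of fsp so an invalid fid yields a DOS error instead of a NULL dereference.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for Samba's files_struct: only the field the
   GETJOBID path reads. The table and its contents are invented. */
typedef struct {
    int      in_use;
    uint16_t rap_print_jobid;
} files_struct;

#define MAX_FILES 4
static files_struct files[MAX_FILES] = {
    { 1, 0x0123 },   /* fid 0: open, job 0x0123 */
    { 0, 0      },   /* fid 1: closed            */
    { 1, 0x4567 },   /* fid 2: open, job 0x4567 */
    { 0, 0      },   /* fid 3: closed            */
};

/* Constructed error codes (placeholders, not Samba's real values). */
enum { ERR_OK = 0, ERR_BADFID = 6 };

/* Model of file_fsp(): NULL for an out-of-range or closed fid, which is
   exactly the return value the original handler never checked. */
static files_struct *file_fsp(uint16_t fid)
{
    if (fid >= MAX_FILES || !files[fid].in_use)
        return NULL;
    return &files[fid];
}

/* SSVAL-style little-endian 16-bit store, as the SMB wire format uses. */
static void ssval(unsigned char *buf, size_t off, uint16_t v)
{
    buf[off]     = (unsigned char)(v & 0xff);
    buf[off + 1] = (unsigned char)(v >> 8);
}

/* Hardened GETJOBID path: validate the fid before touching fsp at all. */
int trans2ioctl_getjobid(uint16_t fid, unsigned char *pdata)
{
    files_struct *fsp = file_fsp(fid);
    if (fsp == NULL)                 /* the check the report adds */
        return ERR_BADFID;
    ssval(pdata, 0, fsp->rap_print_jobid);  /* Job number */
    return ERR_OK;
}
```

Feeding fid 1 (closed) or fid 9 (out of range) through trans2ioctl_getjobid() returns ERR_BADFID, while fid 2 writes the job id 0x4567 into pdata as the bytes 0x67, 0x45.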
Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-10-30 07:06:03 UTC
Looks right to me.  Applying it to the SAMBA_3_0/HEAD 
cvs trees.  Thanks.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:16:46 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.